From the U.S. Government Accountability Office, www.gao.gov
Transcript for: IRS's Protection of Taxpayer Data
Audio interview by GAO staff with Greg Wilshusen, Director, Information
Technology
Related GAO Work: GAO-12-392: Information Security: IRS Needs to Further
Enhance Internal Control over Financial Reporting and Taxpayer Data
Released: March 2012
[ Background Music ]
[ Narrator: ] Welcome to GAO's Watchdog Report, your source for news and
information from the U.S. Government Accountability Office. It's March
2012. The Internal Revenue Service relies on security controls to
protect the sensitive taxpayer data it has on its computer systems. A
group co-led by Greg Wilshusen, a director in GAO's Information
Technology team, recently reviewed the effectiveness of IRS's controls
in protecting this sensitive information. GAO's Jeremy Cluchey sat down
with Greg to learn more.
[ Jeremy Cluchey: ] What sorts of taxpayer information is IRS
responsible for protecting?
[ Greg Wilshusen: ] Well, the IRS maintains a vast amount of sensitive
personal information about taxpayers. This information includes taxpayer
name, home address, Social Security number, as well as income and
deductions and all the other information that taxpayers may include on
their tax returns, as well as data that is supplied about the taxpayer
from those taxpayers' employers. And this information needs to be
protected because it has value to those individuals or groups that wish
to commit identity theft, fraud, or other financial crimes.
[ Jeremy Cluchey: ] And in this report your team looked at IRS's
controls and procedures around its financial and tax processing systems
to see how this data is handled. What did you find?
[ Greg Wilshusen: ] Well, we found that IRS implemented numerous
controls and procedures that are intended to protect this information.
Nevertheless, weaknesses in these controls jeopardize the
confidentiality, integrity, and availability of the IRS's tax systems,
financial systems, as well as the taxpayer data.
[ Jeremy Cluchey: ] Can you elaborate a little bit on what you mean by
control weaknesses that you identified?
[ Greg Wilshusen: ] Well, sure. We found that the Internal Revenue
Service had not always implemented controls that are intended to
prevent, limit, and detect unauthorized access to its systems and data,
and these include deficiencies in the controls that are used to identify
and authenticate users, such as implementing strong passwords. We also
found that IRS did not always restrict unneeded access to certain key
information services as well as data servers. And we've also found that
IRS did not always encrypt sensitive information as it was being
transmitted across its internal networks.
[ Jeremy Cluchey: ] This report also follows up on past GAO work that
reviewed these controls and made previous recommendations to IRS. To
what extent has there been an improvement?
[ Greg Wilshusen: ] Well, it's not as much as we had hoped or even IRS
had hoped. As you know from our previous report, we had about 105
outstanding recommendations and weaknesses that we've reported. IRS
reported that it had corrected about 29 of these, or which is just about
a quarter of those previously reported weaknesses. However, when we
actually did our test to determine the effectiveness of IRS's corrective
actions over these 29 recommendations that they said that they
implemented, we found that they hadn't implemented all of them or fully
implemented 13, or 45 percent of the 29 that they had indicated they
corrected.
[ Jeremy Cluchey: ] And in this latest report, what steps is GAO
recommending IRS take?
[ Greg Wilshusen: ] Well, we're recommending thatóin addition to our
prior recommendations that we made in our prior reportsówe are also
recommending that IRS take actions to implement a comprehensive
information security program, and in part by enhancing their procedures
for monitoring the effectiveness of controls over their systems, as well
as expanding the tests that they perform to address access controls as
well as system configurations to assure that those controls are
effectively implemented. In addition, we are also making 24
recommendations that address specific internal control deficiencies,
information security deficiencies, that we identified during the course
of the audit.
[ Jeremy Cluchey: ] For taxpayers who are right now gearing up for this
year's filing season, what's the bottom line here?
[ Greg Wilshusen: ] Well, first and foremost, they should certainly obey
the tax laws and file their returns, and IRS will endeavor to try to
protect that information as best as it can. However, our results have
found that IRS still needs to do more in order to appropriately protect
the information that taxpayers deserve.
[ Background Music ]
[ Narrator: ] To learn more, visit gao.gov and be sure to tune in to the
next episode of GAO's Watchdog Report for more from the congressional
watchdog, the U.S. Government Accountability Office.